cbcvebase.
CVE-2020-13756
published 2020-06-03

Priority: P184 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW: VulnCheck KEV · Exploited in the wild
EPSS: 55.08% (98.9th percentile)
Sabberworm PHP CSS Parser before 8.3.1 calls eval on uncontrolled data, possibly leading to remote code execution if the function allSelectors() or getSelectorsBySpecificity() is called with input from an attacker.

Affected (15 ranges)

Vendor      Product               Version range                                        Fixed in
debian      php-horde-css-parser  < php-horde-css-parser 1.0.11-8+deb11u1 (bullseye)   php-horde-css-parser 1.0.11-8+deb11u1 (bullseye)
sabberworm  php-css-parser        >= 1.0.0 < 1.0.1                                     1.0.1
sabberworm  php-css-parser        >= 2.0.0 < 2.0.1                                     2.0.1
sabberworm  php-css-parser        >= 3.0.0 < 3.0.1                                     3.0.1
sabberworm  php-css-parser        >= 4.0.0 < 4.0.1                                     4.0.1
sabberworm  php-css-parser        >= 5.0.0 < 5.0.9                                     5.0.9
sabberworm  php-css-parser        >= 5.1.0 < 5.1.3                                     5.1.3
sabberworm  php-css-parser        >= 5.2.0 < 5.2.1                                     5.2.1
sabberworm  php-css-parser        >= 6.0.0 < 6.0.2                                     6.0.2
sabberworm  php-css-parser        >= 7.0.0 < 7.0.4                                     7.0.4
sabberworm  php-css-parser        >= 8.0.0 < 8.0.1                                     8.0.1
sabberworm  php-css-parser        >= 8.1.0 < 8.1.1                                     8.1.1
sabberworm  php-css-parser        >= 8.2.0 < 8.2.1                                     8.2.1
sabberworm  php-css-parser        >= 8.3.0 < 8.3.1                                     8.3.1
sabberworm  php_css_parser        < 8.3.1                                              8.3.1

Detection & IOCs

  • Vulnerable code path: exploitation requires calling allSelectors() or getSelectorsBySpecificity() with attacker-controlled input, which triggers an unsafe eval() on uncontrolled CSS data
  • The root cause is an eval() call on uncontrolled CSS parser input; monitor PHP process logs for unexpected eval() execution originating from CSS parsing code paths
  • Patch reference commit for diff-based detection or file integrity monitoring: upstream fix at GitHub commit 2ebf59e8bfbf6cfc1653a5f0ed743b95062c62a4
  • Vulnerability only triggers when attacker-controlled input is passed to allSelectors() or getSelectorsBySpecificity(); deployments that do not expose these functions to untrusted input are not directly exploitable
  • Affected versions are Sabberworm PHP CSS Parser before 8.3.1; Debian bullseye ships a patched version (1.0.11-8+deb11u1) while bookworm remains open as of source publication date

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd            v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
osv                     9.8    CRITICAL
vulncheck               9.8    CRITICAL
vendor_debian           9.8    CRITICAL
vendor_ubuntu           9.8    CRITICAL